国家互联网应急中心CNCERT:
2021年12月10日,国家信息安全漏洞共享平台(CNVD)收录了Apache Log4j2远程代码执行漏洞(CNVD-2021-95914)。攻击者利用该漏洞,可在未授权的情况下远程执行代码。目前,漏洞利用细节已公开,Apache官方已发布补丁修复该漏洞。CNVD建议受影响用户立即更新至最新版本,同时采取防范性措施避免漏洞攻击威胁。
目录:
(一)、基于主机日志的检测
1.Grep/Zgrep
2.Grep/Zgrep(漏洞利用变种检测)
3.SIGMA规则
4.YARA规则
(二)、基于网络流量的NIDS检测(Snort/Suricata规则)和Zeek检测脚本
(三)其他信息
- 攻击Payload
- C2域名
- 攻击IP
- 受影响的Log4j版本哈希
(一)、基于主机日志的检测:
1.Grep/Zgrep
# sudo egrep -i -r '${jndi:(ldap
# sudo find /var/log -name *.gz -print0 | xargs -0 zgrep -E -i '${jndi:(ldap
2.Grep/Zgrep(漏洞利用变种检测)
# sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap
# sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap
3.SIGMA规则
1) web_cve_2021_44228_log4j.yml
title: Log4j RCE CVE-2021-44228 Generic
id: 5ea8faa8-db8b-45be-89b0-151b84c82702
status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228
author: Florian Roth
date: 2021/12/10
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.ycombinator.com/item?id=29504755
- https://github.com/tangxiaofeng7/apache-log4j-poc
- https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
- https://github.com/YfryTchsGD/Log4jAttackSurface
- https://twitter.com/shutingrz/status/1469255861394866177?s=21
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
keywords:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
condition: keywords
falsepositives:
- Vulnerability scanning
level: high
2) web_cve_2021_44228_log4j_fields.yml
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs
author: Florian Roth
date: 2021/12/10
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://news.ycombinator.com/item?id=29504755
- https://github.com/tangxiaofeng7/apache-log4j-poc
- https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
- https://github.com/YfryTchsGD/Log4jAttackSurface
- https://twitter.com/shutingrz/status/1469255861394866177?s=21
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-User-Agent|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
user-agent|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
cs-uri|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
cs-referrer|contains:
- '${jndi:ldap:/'
- '${jndi:rmi:/'
- '${jndi:ldaps:/'
- '${jndi:dns:/'
condition: selection
falsepositives:
- Vulnerability scanning
level: high
4.YARA规则
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
meta:
description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
date = "2021-12-10"
score = 70
strings:
$x1 = "${jndi:ldap:/"
$x2 = "${jndi:rmi:/"
$x3 = "${jndi:ldaps:/"
$x4 = "${jndi:dns:/"
condition:
1 of them
}
rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
meta:
description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
date = "2021-12-10"
score = 80
strings:
$x1 = /${jndi:(ldap|ldaps|rmi|dns):/[/]?[a-z-.0-9]{3,120}:[0-9]{2,5}/[a-zA-Z.]{1,32}}/
$fp1r = /(ldap|rmi|ldaps|dns):/[/]?(127.0.0.1|192.168.|172.[1-3][0-9].|10.)/
condition:
$x1 and not 1 of ($fp*)
}
rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
meta:
description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/Reelix/status/1469327487243071493"
date = "2021-12-10"
score = 70
strings:
/* curl -s */
$sa1 = "Y3VybCAtcy"
$sa2 = "N1cmwgLXMg"
$sa3 = "jdXJsIC1zI"
/* |wget -q -O- */
$sb1 = "fHdnZXQgLXEgLU8tI"
$sb2 = "x3Z2V0IC1xIC1PLS"
$sb3 = "8d2dldCAtcSAtTy0g"
condition:
1 of ($sa*) and 1 of ($sb*)
}
rule SUSP_JDNIExploit_Indicators_Dec21 {
meta:
description = "Detects indicators of JDNI usage in log files and other payloads"
author = "Florian Roth"
reference = "https://github.com/flypig5211/JNDIExploit"
date = "2021-12-10"
score = 70
strings:
$xr1 = /ldap://[a-zA-Z0-9.]{7,80}:[0-9]{2,5}/(Basic/Command/Base64|Basic/ReverseShell|Basic/TomcatMemshell|Basic/JBossMemshell|Basic/WebsphereMemshell|Basic/SpringMemshell|Basic/Command|Deserialization/CommonsCollectionsK|Deserialization/CommonsBeanutils|Deserialization/Jre8u20/TomcatMemshell|Deserialization/CVE_2020_2555/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)//
condition:
filesize < 100MB and $xr1
}
rule SUSP_EXPL_OBFUSC_Dec21_1{
meta:
description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
author = "Florian Roth"
reference = "https://twitter.com/testanull/status/1469549425521348609"
date = "2021-12-11"
score = 60
strings:
/* ${lower:X} - single character match */
$ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
/* ${upper:X} - single character match */
$ = { 24 7B 75 70 70 65 72 3A ?? 7D }
/* URL encoded lower - obfuscation in URL */
$ = "$%7blower:"
$ = "$%7bupper:"
$ = "%24%7bjndi:"
$ = "/$%7bjndi:"
condition:
1 of them
}
(二)、基于网络流量的NIDS检测(Snort/Suricata规则)和Zeek检测脚本
SID 编号 2034647-2034658
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
Zeek检测脚本
https://github.com/nturley3/zeek-http-rce
其他:
攻击Payload
https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890
C2 域名
https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
攻击IP
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
受影响的Log4j版本哈希
https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
参考资料:
RCE 0-day exploit found in log4j, a popular Java logging package from netsec
往期精选
围观
热文
热文
原文始发于微信公众号(天御攻防实验室):Log4j远程代码执行漏洞(CVE-2021-44228)利用检测规则
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论